
How to Choose Sovereign Software - The Sovereign Computing Show (SOV019)
Tuesday, August 12, 2025
Not all software is created equal when it comes to digital sovereignty. In this episode, Jordan Bravo and Stephen DeLorme break down their framework for evaluating software that respects your freedom and privacy. They cover why open source isn't always a guarantee, how to spot healthy vs abandoned projects on GitHub, the importance of data export capabilities, and sustainable business models that won't disappear overnight. Plus, news about Samsung killing bootloader unlocks, EU age verification requirements, and reviews of new authenticator apps from Proton and Ente.
Chapters
- 00:00 Jordan's Opening Quote on Software Choice
- 00:27 Introduction and ATL BitLab Sponsorship
- 01:45 Welcome and Contact Information
- 01:55 News: Samsung Kills Custom ROM Support
- 02:53 No More Bootloader Unlocks on Samsung Devices
- 04:48 Security Trade-offs with Unlocked Bootloaders
- 05:50 Samsung's Motivations: Security vs Control
- 07:43 News: EU Age Verification Requirements
- 08:40 Digital Sovereignty Alarm from Privacy Advocates
- 09:42 EU's Contradictory Privacy Stance
- 12:39 Decentralized Identity vs Google Monopoly
- 14:52 Proton Authenticator: Google Authenticator Alternative
- 16:32 Open Source 2FA with Zero-Knowledge Sync
- 18:04 Security Concerns of All-in-One Solutions
- 22:50 Standalone App, No Proton Account Required
- 23:41 Ente Auth: Self-Hostable 2FA Alternative
- 24:55 F-Droid Support and Open Source Commitment
- 25:48 Main Topic: How to Choose Sovereign Software
- 26:11 Open Source as a Starting Point
- 26:56 Cross-Platform and Alternative App Stores
- 27:36 No Vendor Lock-In and Data Export
- 28:35 Why Software Choice Matters Long-Term
- 29:48 Stephen's Framework for Evaluating Software
- 30:17 Investigating "Open Source" Claims
- 31:38 Checking GitHub Activity and Maintenance
- 34:58 How to Evaluate GitHub Projects Live Demo
- 38:11 Understanding GitHub Issues as Health Indicators
- 42:27 Contributors and Community Health
- 43:38 Open Standards and File Formats
- 46:29 UI/UX Quality Matters for Daily Drivers
- 50:32 Sustainable Business Models and Monetization
- 54:34 Conclusion and Future Episode Tease
Links
- Jordan Bravo
- Stephen DeLorme
- Boost in on Fountain.FM
- Samsung Kills Bootloader Unlock
- European Union Requires Age Verification
- Proton Authenticator
- Ente Authenticator
Transcript
SOV-019 Choosing Sovereign Software
Jordan Bravo: [00:00:00] Choosing new software is important. If it goes well and it becomes part of our daily workflow, we might be using a given piece of software for years, maybe even decades. So it's important when we make these decisions, we don't want to get sucked into a vendor like a walled garden, right? So anytime you make a choice about adding a new piece of software, I think it's important to keep that in mind: "How hard would it be for me to leave if I ever had to change apps?"
Jordan Bravo: Welcome to the Sovereign Computing Show, presented by ATL BitLab. I'm Jordan Bravo, and this is a podcast where we teach you how to take back control of your devices. Sovereign Computing means you own your technology, not the other way around.
Stephen DeLorme: This episode is sponsored by ATL BitLab. ATL BitLab is Atlanta's freedom tech hacker space. We have coworking desks, conference rooms, event space, maker tools, and tons of coffee. There is a very active community here in the lab. Every Wednesday [00:01:00] night is Bitcoin night here in Atlanta. We also have meetups for cybersecurity, artificial intelligence, decentralized identity, product design, and more.
We offer day passes and nomad passes for people who need to use the lab only occasionally, as well as memberships for people who plan to use the lab more regularly, such as myself. One of the best things about having a BitLab membership isn't the amenities, it's the people. Surrounding yourself with a community helps you learn faster and helps you build better.
Your creativity becomes amplified when you work in this space, that's what I think at least. If you're interested in becoming a member or supporting this space, please visit us at atlbitlab.com. That's A T L B I T L A B dot com. Alright, on to our show.
Stephen D-2: Welcome to the Sovereign Computing Show. I'm Jordan Bravo. I'm recording today from the heart of Atlanta at ATL BitLab with Stephen DeLorme.
What's up? Today we're gonna talk about how to choose sovereign [00:02:00] software. What do we look for? What are the signs that some software is better than others? So we're gonna get into that. But first, we have a few news items and products and applications to look at. First, the article is called "Say Goodbye to Your Custom ROMs as One UI Kills Bootloader Unlock."
And what this is about is Samsung has announced that it will no longer allow people to unlock the bootloader on Samsung smartphones to be able to load their own custom operating systems on it. So what this means is that if you want to use any other, like de-Googled Android, whether that's GrapheneOS, LineageOS, CalyxOS, you cannot use that with Samsung devices.
The article mentions that this is actually not going to change anything for United States users [00:03:00] because Samsung took away the option there to unlock the bootloader years ago, but it was kept open for users in other parts of the world. But that is gonna change starting soon with their next major version.
If you had hopes that you could use a Samsung phone to load a de-Googled version of Android on there, then unfortunately Samsung is not gonna be an option in the future for anybody, and it's not an option in the US currently. So this is unfortunately a step backwards in my opinion. Right now the Google Pixel is the only phone that GrapheneOS can be loaded onto, because it's the only phone that can unlock the bootloader,
put on a custom ROM, and then relock the bootloader, which gives you the most amount of security, protects you from evil maid attacks, physical in-person attacks on your phone, on your device. However, if you are less concerned about that and you're willing [00:04:00] to have that risk of an unlocked bootloader, there are other brands out there.
Now Samsung is no longer an option, but there's Motorola, I believe. I don't know. I'm blanking on other brands. Do you have any off the top of your mind? I don't. So this is unfortunate, this is one less option for people to use on Android, for de-Googled OSs, but ultimately it's not the end of the world.
There's still plenty of other options out there, but just wanted to bring this to your attention and something to keep in mind. So you mentioned that there's kind of that security risk with having the bootloader open and being able to load your own custom firmware on there. Is that just kind of a risk that's always going to be there with stuff like GrapheneOS?
No. In fact, GrapheneOS in particular, one of the reasons they only support being loaded onto the Google Pixel is because the Google Pixel is [00:05:00] the only Android phone where you can unlock the bootloader, put on a custom OS, and then re-lock the bootloader. Oh, okay. So GrapheneOS doesn't suffer from that vulnerability.
But if I have, let's say, a Motorola phone, and it's of a kind where I can unlock the bootloader, and then I load LineageOS, let's say, on there, or CalyxOS. Now I've got a de-Googled OS on my Motorola phone. But I don't have the ability to re-lock the bootloader.
So if I left my phone in the room and you wanted to install malware on it or compromise it and you had physical access to it, you could do that. Got it. You could mess with the operating system somehow. I'm just curious with devices like these, what would be their argument for making a change like this?
Is it like, well, we want to make our users more secure, so we don't want to have the option to even foot-[00:06:00]gun yourself with an open bootloader? Or is it something more like, well, we don't make as much money on data collection or something if this is accessible to be replaced with an open source operating system?
Do you have any ideas? You know, you'll probably never hear that second one that you mentioned, but that might be part of the motivation. However, I often hear the first one. They don't say anything in this article about why Samsung is doing this. They haven't released a press statement.
But what I typically hear is, as you mentioned, it's all in the name of safety. You know, we want our users to be secure. We wanna protect against malware, et cetera, et cetera. So by restricting freedom on the phone, freedom to load your own operating system, yes, in theory they are making you more secure, but they're also removing your ability to do what you want with your own device.
Yeah. Got it. [00:07:00] Any other thoughts on this article? I think I'm good. Yeah. Pretty straightforward, not the end of the world. The next one we're gonna look at, the headline reads, "Privacy Advocates Sound Digital Sovereignty Alarm." This is all about the age verification requirement in the European Union, the EU. You might've heard this, but a lot of EU legislation's being passed now. I think it started with the UK, but it is also going live in the EU, where they are forcing users to have to dox themselves, to basically KYC themselves, to provide
ID and age and identification verification in order to be able to use some basic apps. So imagine you want to download an app from the Google Play Store. You have to first upload your driver's license or your government ID [00:08:00] to your Google Play account, and then they have to approve you and make sure you're not on a bad person list.
And then you're allowed to download. And then of course they keep track of everything that you download. So this is pretty dystopian and absolutely in the opposite direction of digital self-sovereignty. And I don't know what the EU's goal is for this, but it just seems really... they've been doing a lot of stuff lately in this direction of just making it kind of like a surveillance dystopia in the EU.
The weird thing about this is, I didn't pull up the article here, but there's another article about how the EU is publishing papers on how they want to be more digitally sovereign. Yes, that's right. They want to be more digitally sovereign. Yeah, but they also institute all this [00:09:00] surveillance crap.
So it's kind of like a Dr. Jekyll, Mr. Hyde, or maybe the reasoning is that they wanna be more sovereign from other countries. Like they're sick of relying on American tech companies, but they themselves have no problem with being Big Brother when it comes to their own citizens. Yeah, absolutely, it's a geopolitical concern.
It's that they want to be able to have greater control over where their silicon comes from and how the chips are made, probably, and what software they're using, what their geopolitical supply chain risk is. But yeah, it doesn't have anything to do with making the citizens more digitally sovereign.
I will say though, I'm kind of torn, because when I see stuff like this, they also talk about moving, in the same way that they wanna move off of big tech platforms from the US like Microsoft, Google, et cetera. They are putting a lot of money into open source [00:10:00] software. So you'll see governments and big corporations adopting open source alternatives. We're talking Nextcloud instead of Google Docs or Microsoft, we're talking Matrix instead of Slack, Microsoft Teams, that kind of thing. So in the one sense, it's really cool to see these open source projects getting a lot more use, a bigger user base, which means more funding, which means better features, more people using it, more security, more people developing for it.
But on the other hand, if I lived in the EU, I would really be pissed off. I would feel like the walls are closing in when it comes to digital sovereignty and freedom. It is interesting though. It does say they're trying to provide privacy-preserving digital proof of age for accessing restricted online services.
It's built on the European Digital Identity Wallet blueprint. The system uses anonymous credentials and data minimization principles. However, security requirements [00:11:00] mandate Google Play distribution exclusively. So, you know, I haven't dug into the specifics of how this is built or how this technology works.
If it does indeed verify privacy, it's not out of the question that it could actually use some sophisticated arrangement or cryptography principles to be able to verify age without keeping a record of the identity. It's not impossible. To me it seems like this issue is less about... this might be less about privacy and more about Google, right?
Because when you look at stuff like the DID spec and decentralized identity, a lot of people have been working on decentralized identity projects for decades now. And, you know, it's not the kind of topic that really gets talked about a lot in mainstream circles.
People like to talk more about, like on the Bitcoin side of things, Nostr, and outside of that people talk about Bluesky [00:12:00] and stuff like that. But decentralized identity, a lot of people have been working on it, and on verifiable credentials, for a long time. And you can do the kind of stuff with that where you can have a credential issuer that issues you a credential. Like, you do go through a standard KYC process,
but then they issue you a digital credential. And with that digital credential, it makes it so that you can then verify that you meet a certain criteria without having to actually verify your age or actually verify your identity. So another take on this is that this might actually be a good thing.
Again, I haven't really dug into the specifics of that, but if it's built on some of those decentralized identity fundamentals and verifiable credentials, this actually could be the kind of thing where you can verify age without needing to know their identity. And that could be really powerful for making it so that kids can't get to porn sites and [00:13:00] stuff like that.
But I think that the key thing that might be critical here is, like, "Google's grip tightens on EU digital identity." The concern I'm seeing in this article, on a brief perusal, is just the idea that it only works in the Google Play Store the way it's currently defined. And so, by only working in the Google Play Store, it completely cuts out all of these open source app stores.
Yeah, it would be really cool if they are using decentralized ID technology and verifiable credentials. That would be cool. But the problem is it is a Google-centralized platform. So it's not like, at least we don't know from the article here, Google doesn't seem to be opening it up to multiple providers, where as long as you're following the spec, you can verify yourself.
But that doesn't seem like at all what's happening here. It seems like they're more locking down. You have to use Google [00:14:00] Play. You have to use the Google Play Integrity API. And quoting from the article here, it says, this means apps from F-Droid, Aurora Store, or sideloaded installations face elimination.
And so we've talked about this before in previous episodes about alternative app stores, and this sounds like it's gonna make it even more difficult or even impossible to be able to use those.
Bummer. Yes. If you are in the EU and you happen to be listening to this, let us know what you think. Are you concerned about this? Boost in. And let us know what we got wrong about it too. Oh yeah, I think when I jumped into the show today, I forgot to mention that you can email us. Our email address is sovereign@atlbitlab.com.
And don't forget, you can also send us a message with a Boostagram in a Podcasting 2.0 app such as Fountain FM [00:15:00] or Podverse, or any of the others. Alright, let's move on to the next article. I wanna look at a couple of apps now for two-factor authentication. A lot of people are familiar with Google Authenticator.
What people might not know is that Google Authenticator is an implementation of an open source spec, the time-based one-time password specification. That's where you open up an app and you see a 30-second countdown timer, and every 30 seconds it shows a new six-digit code, and you copy and paste that code into whatever you're logging into, and that's how you get two-factor authentication.
So all of that, that whole scheme, the way that works, is a completely open specification, Google Authenticator just being the most well known by most people. But there are other options, and one of 'em we're talking about today is a new offering by Proton. We [00:16:00] talk about Proton a lot because they are catering to privacy.
They're a privacy-respecting company and they offer a lot of open source software. And today we're talking about Proton Authenticator. This is an alternative to Google Authenticator. Some of the benefits that Proton Authenticator provides over Google Authenticator would be that they're from a company that respects your privacy, and their whole business model is to preserve your privacy, rather than Google, whose business model is to mine your data.
It is also open source. It has zero-knowledge syncing so that you can sync it across devices, but it's completely end-to-end encrypted. And then if you go to one of these classic marketing charts where they show this product against other competitors, they show that Proton Authenticator is open source, encrypted sync, no ads or tracking, [00:17:00] cross-platform.
So it's for Android, iOS, Windows, Mac, and Linux. That's cool that they have desktop clients as well, and they have direct export, meaning if you ever wanna pull your data out of it and use another app, you can do that very easily. Stephen, have you had a chance to try Proton Authenticator? I have not, though
I'm excited to try it. This whole chart full of green check marks makes me excited. I currently use Authy. I had to compare the logo here against the one on my phone, and they're actually... oh, I see what they're saying. I thought that was saying they don't support Android too, sorry. Yeah, I mean, I've always used Authy and that's worked pretty good 'cause it at least has that encrypted sync check mark, which the Google one hasn't.
I think they stopped supporting the desktop application, which got really annoying, 'cause I used to love having the desktop application because then I could just get the 2FA codes without pulling my phone outta my [00:18:00] pocket. So it'd be cool if Proton is going to have the same one here.
That'll be nice. I think one potential security concern that I've been thinking about with 2FA codes, though, is that I've definitely seen a movement to try and make 2FA codes easier to use. Like, for example, 1Password actually supports 2FA. You can actually put the 2FA codes inside of 1Password, where you store the username and the email and the password and all that kind of stuff for a website.
And that can be a little problematic, because you think about that, the whole... like the 2FA code is supposed to be unique. It's supposed to be a separate, a second authentication factor aside from the password, so that if your password gets compromised, you still have this other layer, this other factor that keeps your data and your account [00:19:00] separate.
And so in the event of 1Password, I think it's kind of interesting that they support it, 'cause it's like, well, if somebody did get my password, it might mean they have access to my 1Password, and if they have access to my 1Password, then they also have access to the 2FA. It doesn't mean they have access to your 1Password.
They could have gotten your password through other means, but just saying that if they did get access to your 1Password, they would have all of that. And I imagine that it's the same with Proton Authenticator. Like the way a lot of their services work is that, I think it's like the Proton Drive and Calendar and Mail,
it's all kind of encrypted against the key that's derived from your password. So, Proton has a password manager, so if you're using their password manager, or you're using Proton Mail, and you're using Proton 2FA, you just run into this scenario where if you're using the password manager and the 2FA, and if that password gets leaked, they kind of have access to all of it.
So, you [00:20:00] know, it's one of those things you gotta be careful with. It might be worth kind of breaking it up and using authenticators from different services. I don't know, I'm not sure, but it does seem like a slight potential risk. But having said that, I'm glad that there's another 2FA thing on the market and, you know, I think Proton's a good actor in the space and all of that, so happy to see that they have a product.
Yeah. So what you're saying, I know exactly what you're talking about with the separation, or the supposed separation, that you're recommended to have there. I use Bitwarden right now for my two-factor authentication, and like you were saying with 1Password, I've got my passwords and my 2FA codes in the same application, and so
if somebody were to compromise, get into my Bitwarden password manager, they would have both my passwords and they would have my 2FA codes, like you were saying. I personally [00:21:00] consider it worth the risk. I don't know, maybe I'm being naive, but I feel like if my Bitwarden is compromised, that's a problem right there.
Right. I have a bigger problem on my hands. So by having 2FA in Bitwarden, it's a simple, like, one click or one key press when I'm logging into something. So it'll ask for my username and password, that's one key press, and then 2FA, another key press, and boom, I'm in. Could it be more secure if I put it on a separate device?
Probably. But I feel like it's an acceptable balance. Yeah, it might be. I mean, it just depends on the threat model, I guess. 'Cause that's the thing, I guess when I think about how your password gets leaked, it's probably more likely to get leaked by something that intercepts your password from [00:22:00] a form input, like some kind of malicious script on a website, or
a keylogger or something to that effect, probably. Or, you know, if some website service is using a weak encryption algorithm, or a weaker hashing algorithm for storing their passwords, they're not salting their database properly, all that stuff, your password gets reverse engineered through a database dump
with rainbow tables. Like then, if that's the threat model, then yeah, totally, they're not in your password manager. So yeah, I can see how you feel. Another example would be your email gets compromised and somebody goes and resets your password on a website, but if they don't have your 2FA code, they can't log in.
Yeah. So one thing I wanted to point out here is that if you want to use Proton Authenticator: one, it's completely free. You don't have to sign up [00:23:00] for other Proton services. And two, again, you don't have to sign up for other Proton services, meaning it's separate. So if you are not using any of the other Proton products, you can still use Proton Authenticator as a standalone app.
You don't even have to create a Proton account. Hmm. Wow. Any other thoughts on this? 'Cause I wanna talk about one other authenticator app. Yeah, I'm good. Okay. The other authenticator app is called Ente, E-N-T-E. And Ente actually has, their main product is sort of a Google Photos alternative, but Ente Auth is another just good authenticator app.
It is open source, it's end-to-end encrypted for syncing, and it is completely free to use, and it is also self-hostable. So by default you can use their servers for syncing your end-to-end encrypted backups, but you can also self-host it. [00:24:00] I have not had a chance to do that.
This is actually pretty new on my radar, but I think at some point I might give it a shot. Sweet. Yeah. Yeah, that's probably more than I'm... I'm gonna be lazy and use stuff like Proton Authenticator. One thing about Authy, I did use to use Authy, but I found that you have to use a phone number with them, and I don't like that.
So I'm bullish on Proton Authenticator, Ente, Bitwarden, these kinds of options. Yeah, I want to get off Authy, honestly. I've been using it for too long. It's time to make a fresh start with a new authenticator app. I like how on the Ente Auth page, it gives you the different download options, and it's got the usual platforms, but it also lists F-Droid.
Nice. So they're clearly [00:25:00] respecting people's choice of app store. It's a nice looking marketing website. Yeah. Real quick, even though this is kind of off topic, click on the Ente homepage and you'll see their main product, which is again a Google Photos alternative. Did we cover this on another episode?
We have not. We briefly talked about Immich, but it might be good to do a deep dive on Ente. Pretty cool. Yeah, I like the sound of it. All right. Well, that's all of the apps and articles we wanted to look at. Today we're gonna talk about our main topic, which is how to choose self-sovereign software, and what do we look for when choosing software.
I'll go through some of the things that I look for, and then Stephen, maybe you can share your opinions. I would say I look for the following. I would prefer an app to be open [00:26:00] source. It's not an absolute requirement, but it gives me a lot more trust and comfort with the project. Another plus is if it is self-hostable.
Again, I may not self-host it right out of the gate. Some people may never self-host it. That's fine. But the fact that you can, I feel like it's a very ethical business model. They're saying we don't have any magic secrets that we're hiding. The source code is open. You can even host your own server if you want, but most people are happily willing to pay for
the convenience of having a company host their own infrastructure for them. So to me that's a very ethical business model. It's compatible with privacy and digital self-sovereignty. Another thing I look for is if an app is cross-platform. Obviously, I'm partial to more open platforms, and we know that Apple is pretty locked down.
But even if they do have an Apple offering, I wanna see them having [00:27:00] an Android offering. It's great if they have offerings outside of the Google Play Store. So if they are offering it, let's say, on F-Droid or any of the other alternative app stores, that's even better. Or if you can just download the APK, that's also great.
Another thing that I look for is I don't want any vendor lock-in, and so I look for how easy do they make it to exit or to export your data. So if you are unhappy with the service, or maybe they just go outta business or go offline, and you need to take your data and go to some other company, how easy is that?
Do they make it directly exportable in a common format that you can easily import somewhere else? And on that similar note, do they use open standards or open formats? Is their data locked behind some proprietary format that nobody else uses and maybe is completely opaque? Or is it something that everybody uses?
Is it [00:28:00] a JSON file, let's say? Or is it maybe Markdown or YAML or something like that? Something that you can easily save, and it's plain text. You know, you could read it with your eyeball if you want, and then you can easily import it into some other app that uses an open standard as well.
Anything that you wanted to... well, let me get your thoughts as well and just kind of go through your thought process, Stephen, when you're looking for new software, when you're trying it out and maybe considering, do I wanna make this part of my workflow? Because
Jordan Bravo: choosing new software is important,
Stephen D-2: right?
We're gonna be, if,
Jordan Bravo: if it goes well and it becomes part of our daily workflow, we might be using a given piece of software for years, maybe even decades. So it's important when we make these decisions, we don't want to get sucked into a vendor like a walled garden, right?
Stephen D-2: This is a classic Apple technique, and Apple makes a lot of [00:29:00] great stuff, but they also are notorious for locking you into their ecosystem.
So you're using their phone and their laptop and their software, and now you might look elsewhere and say, you know what, I would love to use software X for something, but I can't, because I would have to change my entire ecosystem over. Right? So that's a lot of momentum that's holding you into their ecosystem.
And that's kind of,
Jordan Bravo: so anytime you make a choice about adding a new piece of software, I think it's important to keep that in mind: how hard would it be for me to leave if I ever had to change apps?
Stephen D-2: Yeah. I think I agree with everything you stated. I mean, I, I wouldn't disagree with any of those points.
on the open source side of things, I think it's important to investigate and dig a little bit deeper. No. [00:30:00] Using open source as a buzzword. like it's a thing that you can fall for easily when companies just throw around the word open source on their marketing website, or sometimes they don't use open source as a term.
They'll just put a link to GitHub to like, make it seem like, oh, we're cool developers. We have a GitHub, and we, we share our code. And then you click into their GitHub and it's just like, I don't know, an example repo or something like that. I mean, I've seen like tech startups that will put like a link to their GitHub just 'cause I guess they think it gives them like cool points, but it'll just be like a read me file with, you know, some markdown links to their API docs or something and it's like, okay, that's not open source.
It's you just have a GitHub profile and then. Uh, even when a product advertises themselves as being [00:31:00] open source and it actually is like, you then have to question like, well, is it maintained? And one thing I look for is just going to the GitHub page and just seeing in the commit history has anything happened recently.
And if you see something that's like updated a year ago, that might be a red flag. if it says updated four years ago, that's a serious red flag. if it says updated a year ago, that might be more like an orange flag. Uh, it kind of depends on the, the, the software in question, like is it the kind of thing that doesn't need frequent updates?
Even a year though is still a long time, and you would think that there would be some. Security updates or something. But if it's a simple enough application that doesn't really deal with sensitive data, I could totally see it going by for a year with no updates. But you just gotta kind of keep that in mind, that if there's no update history, it might not be maintained.
[00:32:00] And then, even furthermore, I like to think about, well, who maintains it? Is this a startup that's moving fast and is going to be subject to change because they're just iterating quickly? Or is it the kind of project that actually has a community behind it?
Because when there's a community behind it, even if there's a startup that backs it, when there's an open community, even if it's just a Discord or something, if there's a place where they invite people to share feedback, and if they welcome contributions from people outside their company, then that signals that, okay, this is a robust open source project where they're thinking about long-term maintainability and things like that.
So that makes me feel a little safer adopting it, if I can see [00:33:00] more frequent commits and if I have a better idea of who is maintaining it and all of that. And I think a company can actually be a great thing. There are a lot of examples of open source projects that have been maintained either by companies or by nonprofit foundations dedicated to serving the project.
And that can actually be really good, because then you have people who are on the payroll of the project, so to speak. They can commit a lot more serious, quality time to maintaining the project, versus a project that might just be some developer's hobby project that they might forget about in six months.
So that's what I think about when I think about open source, at least.

No, that's a great point. Open source is not a panacea; it's not a silver bullet that will solve every problem. And like you mentioned, there is a wide spectrum of [00:34:00] open source projects in terms of quality, right? On the one end you have something like an unmaintained hackathon project that somebody threw up four years ago after a weekend session, and on the other end of the spectrum might be something like Proton Authenticator, right?
By a company that's... I don't know, I haven't seen their repo, but I'm just saying hypothetically, it's well maintained, well funded, it's not going anywhere anytime soon, it uses professional coding guidelines and it's high quality. So keeping all that in mind, you mentioned you want to see some recent commits, and that gives you more confidence in the project.
Maybe we could show people how to check that. Let's say they find a link to an open source project and it takes them to GitHub. Maybe they don't know anything about GitHub; they've never used it before. How do they check the commits?

Well, let's see. So why don't we just pull up this Ente one as an example.
So I'm assuming this is [00:35:00] one that is open source. Let's find out. Hey: open source, mobile, web, desktop, CLI. So I can see here in the footer, for those that are only listening, I've gone down to the footer of this Ente Authenticator app, which we talked about earlier, and in the footer I found something that says open source.
A column, and there are links for mobile, web, desktop, CLI. So I can click on all of those. I'll click on the mobile one and see. And just so people know, sometimes you'll just see a GitHub logo, which is the little Octocat. Yeah. And that usually takes you to their GitHub repo, which is their source code.
And it looks like this is a monorepo that has stuff for mobile, desktop and all the other flavors of their app inside of it. So I'm in a subdirectory full of all the files, and I'm actually going to back out and just click on the main project name, which is ente. And then I can see here, under the name ente, at the very top of [00:36:00] GitHub, it has something like "make CI fail on warnings."
And it says committed 16 hours ago, and it has a little picture of the person who committed it and all that. Another thing I can look at is going to the side and looking for releases. So commits are the developers pushing updates, but they don't always make that an official release, right?
The developers are usually always pushing new code to a frequently maintained project, but that doesn't necessarily mean they're cutting a new release, which is when they say, okay, we are done working on this new version of the software, we are giving it a release, we're giving it a number.
In this case, it's auth v4.4.3. Sometimes they give it kooky names. It was released two weeks ago. That's a good sign to me too, because it means they've recently done new releases, and I can go back in time and... So this one might be a newer [00:37:00] project, maybe, because... Well, you're looking at the specific release.
Oh, you're right. Yeah. If I go to releases, if I go back a page, I can see all of them. And it says, okay, two weeks ago, three weeks ago, July 3rd, June 2nd. So it seems like they have one release every month, which is okay. That's a good sign. Look, I'm not going to go through and pick through every single bullet point of the changelog for every release.
But I can scroll through this page and quickly get the idea that this is a well-maintained project. It has a very consistent cadence for cutting new releases of the software. So to me, just eyeballing it live on the pod,
it looks like a well-maintained open source project. Another thing I like to look at is going to the issues. Yeah. So if we scroll to the top of this page and we [00:38:00] go under the repository name, we can click on Issues, and there are 386 open issues right now. And just because there are 386 issues doesn't necessarily mean it's bad, in my opinion.
What I tend to find is that the more a piece of software gets used, the more issues it has. And I think the reason for that is twofold: as it grows in size, as they add more features, every feature adds a little more complexity. And then when you have more users and more people using it, you increase the likelihood that someone will use it in a way you didn't expect and uncover a bug you didn't know was there, or request a feature you didn't know they wanted, that sort of thing.
Then, when it's open source with a public [00:39:00] repo, it's a little different. People can just open issues. It's not like a closed help desk where you can't see what people are asking; it's like a public help desk, and you can see everybody asking for stuff.
And so some of these are going to be good requests. Some are going to be bad requests. Some are going to be serious, absolutely critical, we-need-to-fix-this-immediately requests. And some are, eh, it can wait till later, that would be a nice-to-have. So anyway, that was a little bit of a rant, but context for people who aren't used to looking at GitHub issues.

And I would just add that it's less about the number of issues and more about whether people are reporting issues and whether they are being responded to and either worked on or closed for other reasons. So in this particular repo, we can see that there are 386 open issues, but there are 796 closed issues. So it sounds like a [00:40:00] lot of issues are being closed.
Again, we don't know if those were good or bad issues, if they were trivial or important, critical issues. But the fact that somebody is actively maintaining this repo is evident from the fact that issues are being addressed.
Yeah. And for example, in this issue I pulled up, it sounds like someone's having an issue with faces not being synced between desktop and mobile, and it looks like somebody who works on the project says it sounds like it might be an issue with the mobile app not being able to decode those pictures properly.
"Can you reach out to support with the logs and we'll take a look." So it looks like this got turned into more of a customer support thing rather than an actual code change in the project. And that's the sort of thing: when you run into big, well-maintained public projects like this, sometimes the issues end up doubling as a customer support pipeline [00:41:00] and all of that.
But you can get a feel for the pace of the project, and it's good that somebody responded to it. So it seems well maintained.

Yeah. I notice this is not the Ente Authenticator. This is the Ente Photos app.

Yeah, that's right. Correct. Good call. We had navigated to the photos app when we were finishing up that topic, so I already had the tab open for it.
However, everything we just mentioned about looking at the repo and judging the software and the project all applies. It doesn't matter if this is the authenticator app or the photos app.

Yeah. And I'm not going to shame some poor open source project here on the podcast, so I'm not going to go hunting around on GitHub trying to find a bad example.
But you can imagine that the GitHub issues might have issues not being responded to, and it might say committed four years ago, and there might [00:42:00] be an inconsistent release schedule. And hey, some of my open source projects are like that too. Inconsistent release schedule.
So it happens to the best of us. It doesn't mean the people who made it are bad people or anything like that. It just might signify to you the difference between a well-maintained, super robust project versus something that's maybe a little bit new, or maybe more of a hobby project, right?
These metrics are all health indicators of the project. No single one is necessarily a death knell or make-or-break. But another indicator we could look at is the number of contributors. Mm-hmm. So if you scroll down on the right side of any GitHub project, or even GitLab or another repo host, you'll see the contributors, and they'll have a number, which is the number of contributors, and then a bunch of little avatars of each person's account who's contributed.
So this has [00:43:00] 215 contributors. That is a very healthy number of contributors. So that's another plus for this project.

Yeah. I think on some of the other stuff you mentioned too: self-hostable is always great, I don't really have too much to comment on there. Cross-platform, no vendor lock-in, open standard format.
Yeah, I agree with all that. I guess it depends on the software you're using. Some types of applications might not even have open standards or formats, but it's good when they do. An example to consider would be, let's say you're talking about word processing.
Well, there's ODT, the open document type, or, I think, ODS is open spreadsheet or something like that. ODF, or format. Yeah. And that was an alternative to Microsoft Word, Microsoft Excel, all of those types of Microsoft Office files. And I'm [00:44:00] sure that was pioneered with OpenOffice, I might be wrong on that, but there's also LibreOffice and there were other word processors. And shout out to OnlyOffice.
OnlyOffice. Yeah. Never heard of them. But yeah, so they must support that same format, I'm assuming, or you wouldn't have brought them up. So yeah, that's an example: that format works across all of them. I think another way to think about it too is what purpose you're using it for.
Is this application going to be a one-time thing, or is it going to be something that's deeply embedded in your life forever? So if you're choosing an email client or a password manager or a chat application, these are all the kinds of things that are going to become deeply embedded in your life, and you're probably going to use them every single day.
Then, for me, operating in the kind of [00:45:00] design and art world, I can safely pick up an open source art application and use it only for one project. So, I love the Blender project. They're one of my favorite open source projects. Cool 3D application.
And there are just certain professional projects you may not be able to use it for, because you may need deeper interoperability with something like Cinema 4D, depending on who you're collaborating on a video or a game or an animation with. There are a ton of open source formats
it does support, but depending on the team you're working with or the kinds of tools you need to integrate with, it might not be your daily driver. But I can safely pick it up for one project that's only me working on it. Right. And so there are some kinds of self-sovereign open source tools that you might use just for one-off [00:46:00] projects, because you can safely use those sorts of things.
And if the project is no longer supported next year, or isn't interoperable with your friend's software, that's fine. So I think it just depends on your use case. Is this a daily driver? Is this a one-off project? All that kind of stuff.

Hmm. I did have one other category I look at when it comes to choosing software.
And this is kind of a no-brainer, so much so that I almost forgot to mention it, but that is how good the UI and the UX are. That's the user interface and user experience. Now, in some categories of applications, your choice is going to be limited. If you are prioritizing things like open source, self-hostable, cross-platform, all these other things, you might only have one or two choices, right?
But all other things being equal, if one has a pleasant UI that's [00:47:00] delightful to use and super easy to figure out and discoverable, and the other one is old-looking and ugly, then obviously I'm going to go with the one that has the better UI and UX. So that one might seem a little obvious.
There's not a whole lot to dwell on there, but I just wanted to bring it up. It is something that goes through my head as I'm choosing software.

Yeah, totally. On the note of Blender, for the longest time they had this interface that felt very nineties, and I think it really harmed the adoption of the software,
even though they had their reasons for it. Before left-clicking on the mouse was the norm, like in the nineties, before Windows and Mac... I guess I should say before Windows completely stole mind share, society hadn't quite settled on this idea that right click opens a menu and left click is the primary action.
[00:48:00] Because you would buy an Apple computer, and in those days Apple computers just had a single button on the mouse, and it was the PCs, it was Windows, with the two-button mouse. And then sometimes you'd go to the Sun Unix computers from the late eighties and early nineties that would have three buttons.
I'm not talking about a scroll wheel, I'm talking about a mouse with three discrete buttons on the face. And so there was a lot more variety in terms of even mouse input. And Blender was made in that period in the nineties, and they had some kind of quirky mouse behavior in the way their UI worked, and it just really confused the crap out of everyone for a long time.
And they finally updated the UI, and it looks more modern now, and you can use the mouse normally. And that was a huge hindrance. Even though it's a solid 3D rendering engine, the UI messed with everybody. Another example is Penpot. I love Figma as a piece of software.
The experience is [00:49:00] great as design software. I know they're tracking my every move, and I just try not to think about it. And I've tried to adopt Penpot, which is the self-hostable, open source, pay-to-host alternative to it, so many times. And every time I try to use it, I'm frustrated within 15 minutes, or within 30 seconds.
The performance is just such garbage. And it pains me to say that, because it seems like a team of nice people working on it, working very hard, and they've actually shipped some incredibly cool features like design tokens and an open API. They really put a lot of thought into the
types of features they support, but because the rendering engine is so slow when you're using it, the performance just feels so janky. And so it's like, well, it's not a daily driver. I can't adopt it as a designer because of the user experience. No matter how great the ethos of the [00:50:00] team is or how much I like their feature set, the UX just doesn't work as a daily driver for me.
But I'm hoping they're going to overhaul the render engine one of these days, and I'll be able to come back on another episode and report that I've dropped Figma. One day I can dream.

Yeah, that'll be cool. While you were talking about that, it reminded me of another aspect that we haven't really covered yet. We talked about health metrics of a project, right?
You go into the GitHub, recent commits, that kind of thing. But what about monetization and a business model? We've seen in the past instances of projects that come out and they're open source and they're awesome and everybody loves it. But then the maintainers don't get paid and they get burned out, or they get pulled onto something else or move on with their lives, and the project dies on the vine.
So something else that's good to see, I think, is: [00:51:00] does this product or project have a sustainable business model, or does it have a healthy monetization source? That can be another factor in determining what software might stick around for the long run.

Yeah, that's a great point, because they all have different ones.
Again, if you have one that's just a solo dev maintaining it in their free time, you don't know if that project is going to make it or not, and if it's going to be a pain to move off of it, it might not be your daily driver. Yeah, that's obviously bad.
Then you have stuff like Signal. We've talked about Signal a lot on the show. I think there's a Signal Foundation. Yes. I'm pretty sure they're funded entirely by donors. There's no business model for Signal. Okay. That's pretty interesting. And I don't know what their team size is right now, but [00:52:00] I think when I first started using Signal, like seven or eight years ago, it was something like six people working on it.
Huh? At the company, full time. It was lean. That's what it looked like, at least. Maybe they've grown in size by now, but the point is that they seem to be able to persist off of this open source foundation donor model. It's kind of a source of concern: what if whoever is donating stops donating to them? Who's going to ultimately foot the bill for Signal?
You've got to pay the devs for security updates and maintenance. They have to run some infrastructure to make that magic happen. So maybe that's a concern. But I'm not trying to spread FUD about Signal. I love it and use it every single day. But you have to think about these things. Sometimes you see projects that have an [00:53:00] open source foundation and they get a lot of corporate donors, and that would be good.
Like the Linux Foundation. I don't know who funds them, but it must be corporate donors, right? Yeah, a lot of companies are on the board of the Linux Foundation: Microsoft, Red Hat, Google, et cetera. Probably openSUSE, maybe. Yeah. Or Canonical. Yeah. So you have companies that... that always makes sense. If you have a foundation that has a lot of corporate backing, you at least know the foundation has deep pockets at that point.
I think another great model is when you have a project that has a company that's incentivized to run it. I think pay-to-host is a very valid business model, and when you have a pay-to-host, at least you know that it's a company, and the company has an incentive to keep supporting it.
So that also works too. But that's the kind of [00:54:00] thing: when there's no money involved, that's where there's a little bit of... that's almost like a red flag for me. It's not a red flag that there's a malicious attempt. It's just a red flag for me of, is it mature enough to be a daily driver?

Well, I certainly don't want to cut you off, but why don't we tease this for a future episode where we go into detail about open source business models, ethical business models, and that whole topic, and we can really do a deep dive on it. Yeah, sounds good to me. All right. Well, were there any other
criteria that you wanted to cover, or anything else regarding our topic today of how to choose software? I don't think so. All right. Well, thanks a lot, everybody, and we'll see you next time. Catch you later.
Stephen DeLorme: Hey, thanks for listening. I hope you enjoyed this episode. If you want to learn more about anything that we discussed, you can look for links in the show notes that should be in your podcast player, or you can go to atlbitlab.com/podcast. [00:55:00] On a final note, if you found this information useful and you want to help support us, you can always send us a tip in Bitcoin.
Your support really helps us so that we can keep bringing you content like this. All right. Catch you later.